donjon 0.0.2 → 0.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +99 -5
- data/lib/donjon/commands/user.rb +8 -1
- data/lib/donjon/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a183f49f2e60ad2ed9aaa0257580a4c7b094cf05
|
|
4
|
+
data.tar.gz: 1bf7b4ae1bd9907f553d1736c4e4eece9349d938
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c5484887af5dca5d4f1ca498d858253ed91a57a11d222d2aa4fad8bd65771d49f44e171e2c28c30abb24dbe836c011a83e2a55d362b4e07be3f898efb30b1afb
|
|
7
|
+
data.tar.gz: 0a3a7f7da362f258fa54e6ba81af5030d3b1aa7c7d3351e78937c36fd20f9e33915de5dade5d4688fc6f49157bfa1bbbbcf65275d294a701d4b98f9cf72cd58a
|
data/README.md
CHANGED
|
@@ -1,16 +1,109 @@
|
|
|
1
1
|
# Donjon
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Donjon is a secure, multi-user store for key-value pairs.
|
|
4
|
+
|
|
5
|
+
Skip to: [Purpose](#purpose) | [Concepts](#concepts) | [Setting
|
|
6
|
+
up](#installation) | [Usage](#usage)
|
|
7
|
+
|
|
8
|
+
## Purpose
|
|
9
|
+
|
|
10
|
+
We built Donjon to share credentials in a (small) devops team, for services where
|
|
11
|
+
single user accounts don't make sense, e.g.:
|
|
12
|
+
|
|
13
|
+
- root passwords for databases and servers
|
|
14
|
+
- root credentials for hosting accounts
|
|
15
|
+
- accounts for web services that don't do multi-user/multi-admin
|
|
16
|
+
- Two-factor tokens for single-user web services.
|
|
17
|
+
|
|
18
|
+
Donjon uses standards for encryption: 2048-bit asymmetric RSA encryption used to
|
|
19
|
+
prime symmetric 256-bit AES CBC encryption with random padding.
|
|
20
|
+
In other words, while the NSA will probably be able to read your data should it
|
|
21
|
+
get its paws on it, it's unlikely Joe Hacker will.
|
|
22
|
+
|
|
23
|
+
[Online tools](https://lastpass.com) exist that serve the same purpose as Donjon, but simply
|
|
24
|
+
put: they're generally closed source and host the data somewhere we don't
|
|
25
|
+
control. We think the inconvenience of not having a cute toolbar icon for
|
|
26
|
+
passwords is trumped by better security.
|
|
27
|
+
|
|
28
|
+
## Concepts
|
|
29
|
+
|
|
30
|
+
A **vault** is a directory managed by Donjon. It contains encrypted key-value
|
|
31
|
+
pairs, and public keys for all allowed users. Each key-value pair lives in its
|
|
32
|
+
own directory. The name of the directory is an obfuscated (hashed) version of
|
|
33
|
+
the key, but it's not encrypted. The directory contains one file per user, each
|
|
34
|
+
containing the key-value pair encrypted with their public key.
|
|
35
|
+
|
|
36
|
+
**Syncing** the vault between users is left as an exercice to users or
|
|
37
|
+
integrators :)
|
|
38
|
+
One option is to use a shared drive (e.g. using a cloud server and
|
|
39
|
+
[SSHFS](http://en.wikipedia.org/wiki/SSHFS)). We prefer to sync the vault
|
|
40
|
+
directory using [Bittorrent Sync](http://www.bittorrent.com/sync) rather than
|
|
41
|
+
leave a copy of it with third parties. Another option is to use Git as a
|
|
42
|
+
distribution mechanism.
|
|
43
|
+
|
|
4
44
|
|
|
5
45
|
## Installation
|
|
6
46
|
|
|
7
|
-
|
|
47
|
+
The setup is slightly different different for new vaults (first subsection below)
|
|
48
|
+
and connecting to an existing vault (second subsection).
|
|
49
|
+
|
|
50
|
+
This section assumes the vault is synced between users using Bittorrent Sync.
|
|
51
|
+
|
|
52
|
+
|
|
53
|
+
### Creating a new vault
|
|
54
|
+
|
|
55
|
+
Install Donjon:
|
|
56
|
+
|
|
57
|
+
$ gem install donjon
|
|
58
|
+
|
|
59
|
+
Run the Donjon configuration:
|
|
60
|
+
|
|
61
|
+
$ dj init
|
|
62
|
+
|
|
63
|
+
Note that while you can re-use an existing private key for Donjon, it must be
|
|
64
|
+
encrypted and be a 2048-bit RSA key.
|
|
65
|
+
|
|
66
|
+
Add, then read a first key-value pair to confirm encryption is working:
|
|
67
|
+
|
|
68
|
+
$ dj config:set TEST=foobar
|
|
69
|
+
$ dj config:get TEST
|
|
70
|
+
TEST: foobar
|
|
71
|
+
|
|
72
|
+
Download, install, and run [Bittorrent Sync](http://www.bittorrent.com/sync/downloads).
|
|
73
|
+
|
|
74
|
+
Add the vault directory you configured during `dj init` to be synced by
|
|
75
|
+
Bittorrent Sync.
|
|
76
|
+
|
|
77
|
+
|
|
78
|
+
### Connecting to an existing vault
|
|
79
|
+
|
|
80
|
+
Download and install [Bittorrent Sync](http://www.bittorrent.com/sync/downloads).
|
|
81
|
+
|
|
82
|
+
Ask a peer already using the vault you're interested in to provide you a "one
|
|
83
|
+
time secret" for the shared vault directory. Add this to Bittorrent Sync, and
|
|
84
|
+
wait for syncing to complete.
|
|
85
|
+
|
|
86
|
+
Install Donjon:
|
|
8
87
|
|
|
9
88
|
$ gem install donjon
|
|
10
89
|
|
|
11
|
-
|
|
90
|
+
Configure Donjon; when prompted for a vault path, enter the path to the relevant
|
|
91
|
+
synced directory:
|
|
92
|
+
|
|
93
|
+
$ dj init
|
|
94
|
+
|
|
95
|
+
At this point your public key has been added to the vault, but you can't access
|
|
96
|
+
any data as it hasn't been encrypted for you. Obtain your public key:
|
|
97
|
+
|
|
98
|
+
$ dj user:key
|
|
99
|
+
|
|
100
|
+
and send it over a reasonably secure medium to your peer. They will then run
|
|
101
|
+
|
|
102
|
+
$ dj user:add <your-username>
|
|
103
|
+
|
|
104
|
+
to encrypt all key-value pairs for your user.
|
|
12
105
|
|
|
13
|
-
|
|
106
|
+
Test that you can read a particular key, and you're all set!
|
|
14
107
|
|
|
15
108
|
|
|
16
109
|
## Usage
|
|
@@ -26,11 +119,12 @@ Commands:
|
|
|
26
119
|
dj help [COMMAND] # Describe available commands or one specific command
|
|
27
120
|
dj init # Creates a new vault, or connects to an existing vault.
|
|
28
121
|
dj user:add NAME [PATH] # Adds user and their public key to the vault. Reads from standard input if no path is given.
|
|
122
|
+
dj user:key # Prints your public key
|
|
29
123
|
```
|
|
30
124
|
|
|
31
125
|
## Contributing
|
|
32
126
|
|
|
33
|
-
1. Fork it ( http://github.com
|
|
127
|
+
1. Fork it ( http://github.com/mezis/donjon/fork )
|
|
34
128
|
2. Create your feature branch (`git checkout -b my-new-feature`)
|
|
35
129
|
3. Commit your changes (`git commit -am 'Add some feature'`)
|
|
36
130
|
4. Push to the branch (`git push origin my-new-feature`)
|
data/lib/donjon/commands/user.rb
CHANGED
|
@@ -7,6 +7,9 @@ module Donjon
|
|
|
7
7
|
desc 'user:add NAME [PATH]', 'Adds user and their public key to the vault. Reads from standard input if no path is given.'
|
|
8
8
|
decl 'user:add'
|
|
9
9
|
|
|
10
|
+
desc 'user:key', 'Prints your public key'
|
|
11
|
+
decl 'user:key'
|
|
12
|
+
|
|
10
13
|
private
|
|
11
14
|
|
|
12
15
|
def user_add(name, path = nil)
|
|
@@ -21,7 +24,7 @@ module Donjon
|
|
|
21
24
|
key_data << line
|
|
22
25
|
end
|
|
23
26
|
else
|
|
24
|
-
key_data = Pathname.new(
|
|
27
|
+
key_data = Pathname.new(path).expand_path.read
|
|
25
28
|
end
|
|
26
29
|
|
|
27
30
|
key = OpenSSL::PKey::RSA.new(key_data, '').public_key
|
|
@@ -31,6 +34,10 @@ module Donjon
|
|
|
31
34
|
database.update
|
|
32
35
|
say "Success! #{name} has been added to the vault.", [:green, :bold]
|
|
33
36
|
end
|
|
37
|
+
|
|
38
|
+
def user_key
|
|
39
|
+
puts actor.key.public_key.to_pem
|
|
40
|
+
end
|
|
34
41
|
end
|
|
35
42
|
end
|
|
36
43
|
end
|
data/lib/donjon/version.rb
CHANGED